// Trust & Security Report
FrontApp, Inc.
AI-powered customer service and shared inbox platform
Certifications held
7
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.front.com“SOC 2 listed under Compliance on trust.front.com; downloadable resource: Engagement letter_FrontApp, Inc. SOC 2 .pdf”
Verify on trust.front.com“ISO 27001:2013 listed under Compliance on trust.front.com; downloadable resource: ISO 27001 Certificate 8/2024 - 8/2027”
Verify on trust.front.com“ISO 27001:2022 listed as a separate Compliance item on trust.front.com, shown alongside ISO 27001:2013”
Verify on front.com“GDPR listed as COMPLIANT on trust.front.com; DPA effective February 1, 2024 incorporates Module 2 SCCs (Controller to Processor) governed by Irish law for EU transfers; UK Transfer Addendum and Swiss FADP adaptation also documented”
Verify on trust.front.com“CCPA COMPLIANT listed under Compliance on trust.front.com; privacy notice addresses California consumer rights”
Verify on front.com“HIPAA listed on trust.front.com with FAQ for HIPAA.pdf available; BAAs offered to qualifying customers: 'Front reserves the right to enter into BAAs for Customers whose annual contract price with Front meets a certain threshold.' AI features (Autopilot, Copilot, AI Answers, Live Chat/Chatbots) are explicitly excluded from HIPAA coverage.”
Verify on trust.front.com“Front PCI SAQ A Compliance listed under resources on trust.front.com. SAQ A is the self-assessment questionnaire for merchants that outsource all cardholder data functions, not a full PCI DSS certification by a QSA.”
> Show 6 unconfirmed / not-held certifications
source: trust.front.comNo public evidence of FedRAMP authorization found on trust.front.com, front.com/security, or front.com/legal pages.
source: trust.front.comNo public evidence of ISO 27017 certification found on trust.front.com or any Front-domain pages.
source: trust.front.comNo public evidence of ISO 27018 certification found on trust.front.com or any Front-domain pages.
source: trust.front.comNo public evidence of ISO 27701 certification found on trust.front.com or any Front-domain pages.
source: trust.front.comNo public evidence of ISO 42001 certification found on trust.front.com or any Front-domain pages.
source: trust.front.comCAIQ document is listed in trust.front.com resources (indicating the questionnaire was completed), but no CSA STAR Level 1 or Level 2 certification listing was found.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Primarily United States (AWS infrastructure). EU data transfer mechanisms in place via SCCs and UK/Swiss addenda. EU regional hosting mentioned on security page but no contractually guaranteed EU-only residency in the DPA.
Supplemental Terms explicitly state: 'Front prohibits Subprocessors to use Customer Data to train foundation models.' AI subprocessors are OpenAI, Microsoft, and AWS. However, the SaaS Services Agreement (Section 4.3) reserves Front's right to use customer data 'to provide and improve the Services,' and the trial/beta carve-out in Section 12 permits expanded data collection for service improvement 'irrespective of whether Customer had opted-out.' Foundation model training is clearly prohibited; broader service-improvement usage is permitted and not opt-out-able in trials.
// Security controls
Infrastructure
Amazon Web Services (AWS), multi-availability-zone deployment with daily backups and automatic scaling
front.comPenetration testing
Annual independent third-party penetration tests; 2025 and 2026 results listed on trust.front.com
trust.front.comAuthentication
Two-factor authentication (2FA), SAML-based SSO, OAuth for Office 365 and Gmail
front.comContinuity and disaster recovery
DR plans established and tested (listed as trust center controls)
trust.front.comCybersecurity insurance
Maintained; Certificate of Insurance available via trust.front.com
trust.front.comSubprocessors
Listed at https://front.com/legal/list-of-subprocessors; 30-day notice required before new subprocessors added, with customer objection rights
front.com// Products & data scope
data: Customer emails, conversations, contact data, team collaboration content, attachments
SOC 2 Type II and ISO 27001:2022 apply. HIPAA BAA available for eligible customers (minimum annual contract value required). GDPR covered by DPA with SCCs.
data: Customer conversation content processed by OpenAI, Microsoft, AWS subprocessors
AI subprocessors contractually prohibited from training foundation models on customer data. Autopilot and Copilot are explicitly excluded from HIPAA BAA coverage. No ISO 42001 certification. Outputs are 'computer-generated without human review by Front, and may be inaccurate, incomplete, and/or biased' per supplemental terms.
data: Help articles and documentation; not covered under HIPAA BAA
Excluded from HIPAA coverage. GDPR/SOC 2 protections apply.
// What to watch
- SOC 2 2025 audit was listed as 'in progress' as of September 24, 2025 on trust.front.com; bridge letter and engagement letter available but the formal Type II report for the period ending ~August 2025 may not be finalized yet.
- HIPAA BAA requires an undisclosed minimum annual contract value — not available to all customers; AI features (Autopilot, Copilot, Live Chat, AI Answers, Knowledge Base) are explicitly excluded from HIPAA BAA scope.
- PCI compliance is SAQ A self-assessment only (the lowest-tier questionnaire for merchants outsourcing all card data functions), not a full QSA-validated PCI DSS certification.
- SaaS agreement Section 4.3 gives Front broad rights to use customer data 'to provide and improve the Services.' Trial/beta carve-out (Section 12) permits data use for service improvement irrespective of opt-out choices.
- No ISO 27017, 27018, 27701, or ISO 42001 (AI Management System) certifications found despite active AI product suite with multiple AI subprocessors.
- CAIQ completed (listed in trust center resources) but no CSA STAR Level 1 or Level 2 listing confirmed.
- Default data residency is US; EU residency not contractually guaranteed in DPA despite SCCs being in place for cross-border transfer compliance.
- AI output disclaimer in supplemental terms warns outputs may be 'inaccurate, incomplete, and/or biased' with no warranty from Front — relevant for regulated-industry customers.
// At a glance
Pricing model
Subscription SaaS (per seat/month); enterprise tiers with annual contracts required for HIPAA BAA eligibility
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on FrontApp, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.front.com